"Will Any Password Do?" Exploring Rate-Limiting on the Web

Abstract

We empirically analyzed whether and how real-world websites take appropriate measures to prevent unauthorized access to their users' accounts. We tried to get access to our own accounts on 12 different services, pretending to have forgotten our password and entering alternatives before taking further measures. Our findings indicate that providers' measures to counter trawling online guessing attempts differ widely. We faced CAPTCHAs, temporal blocking, and lockouts from our accounts. We observed that large services combine many mechanisms. In the trade-off between security and usability, smaller sites lock down accounts and involve their users. We even observed a service that didn't rate-limit at all, which places the burden of choosing strong passwords on its users.
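As an added illustration of the mechanisms the abstract names (this is example code, not the paper's or any surveyed service's), the following per-account throttle escalates from a CAPTCHA requirement to temporal blocking with a growing delay and finally to a lockout that the user must clear out of band. The thresholds and delays are assumptions chosen for illustration, not values reported by the study.

```python
# Added example: a per-account login throttle that layers the three responses
# the study observed: CAPTCHA, temporal block with growing delay, hard lockout.
# All thresholds below are assumed for illustration, not values from the paper.
from dataclasses import dataclass

CAPTCHA_AFTER = 3   # failed attempts before a CAPTCHA is required
BLOCK_AFTER = 5     # failed attempts before temporal blocking begins
LOCK_AFTER = 10     # failed attempts before the account is locked
BASE_DELAY = 30.0   # seconds; the block length doubles on each further failure


@dataclass
class AccountState:
    failures: int = 0
    blocked_until: float = 0.0
    locked: bool = False


class LoginThrottle:
    def __init__(self):
        self.state = {}  # account name -> AccountState

    def check(self, account, now):
        """Decide what the login form must do before a password is checked."""
        s = self.state.setdefault(account, AccountState())
        if s.locked:
            return "locked"          # user must recover the account out of band
        if now < s.blocked_until:
            return "blocked"         # temporal block still in force
        if s.failures >= CAPTCHA_AFTER:
            return "captcha"         # password check only after a solved CAPTCHA
        return "allow"

    def record(self, account, success, now):
        """Update the counters after a password check; return the new state."""
        s = self.state.setdefault(account, AccountState())
        if success:
            self.state[account] = AccountState()  # successful login resets state
            return "allow"
        s.failures += 1
        if s.failures >= LOCK_AFTER:
            s.locked = True
            return "locked"
        if s.failures >= BLOCK_AFTER:
            # exponential backoff: 30 s, 60 s, 120 s, ... past the threshold
            s.blocked_until = now + BASE_DELAY * 2 ** (s.failures - BLOCK_AFTER)
            return "blocked"
        if s.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"
```

A per-account counter like this is what produced the lockouts the authors experienced; a trawling attacker who spreads a few guesses over many accounts stays under every per-account threshold, so a deployment also needs a counter keyed on the request source.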